Results 1 - 10 of 11
Signature Schemes Based on the Strong RSA Assumption
 ACM TRANSACTIONS ON INFORMATION AND SYSTEM SECURITY
, 1998
Cited by 163 (8 self)
We describe and analyze a new digital signature scheme. The new scheme is quite efficient, does not require the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the so-called Strong RSA Assumption. Moreover, a hash function can be incorporated into the scheme in such a way that it is also secure in the random oracle model under the standard RSA Assumption.
Efficient generation of shared RSA keys
 Advances in Cryptology - CRYPTO 97
, 1997
Cited by 132 (5 self)
We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N. In addition a public encryption exponent is publicly known and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication. All results are presented in the honest but curious settings (passive adversary).
Proof Systems for General Statements about Discrete Logarithms
, 1997
Cited by 65 (5 self)
Proof systems for knowledge of discrete logarithms are an important primitive in cryptography. We identify the basic underlying techniques, generalize these techniques to prove linear relations among discrete logarithms, and propose a notation for describing complex and general statements about knowledge of discrete logarithms. This notation leads directly to a method for constructing efficient proof systems of knowledge.
1 Introduction
Many complex cryptographic systems, such as payment systems (e.g. see [1, 2, 4]) and voting schemes [11], are based on the difficulty of the discrete logarithm problem. These systems make use of various minimum-disclosure proofs of statements about discrete logarithms [13, 7, 6, 10]. Typical examples are efficient proofs of knowledge of a discrete logarithm which are based on Schnorr's digital signature scheme [18] and systems for proving the equality of two discrete logarithms, as used in [8]. The goal of this paper is to identify the basic techniques...
Verifiable encryption, group encryption, and their applications to group signatures and signature sharing schemes
, 2000
Cited by 54 (9 self)
Abstract. We generalize and improve the security and efficiency of the verifiable encryption scheme of Asokan et al., such that it can rely on more general assumptions, and can be proven secure without assuming random oracles. We extend our basic protocol to a new primitive called verifiable group encryption. We show how our protocols can be applied to construct group signatures, identity escrow, and signature sharing schemes from a wide range of signature, identification, and encryption schemes already in use. In particular, we achieve perfect separability for all these applications, i.e., all participants can choose their signature and encryption schemes and the keys thereof independent of each other, even without having these applications in mind.
Many-to-Many Invocation: A new object oriented paradigm for ad hoc collaborative systems
 17th Annual ACM Conference on Object Oriented Programming Systems, Languages, and Applications (OOPSLA 2002), Onward track
, 2002
Cited by 32 (6 self)
Many-to-Many Invocation (M2MI) is a new paradigm for building collaborative systems that run in wireless proximal ad hoc networks of fixed and mobile computing devices. M2MI is useful for building a broad range of systems, including multiuser applications (conversations, groupware, multiplayer games); systems involving networked devices (printers, cameras, sensors); and collaborative middleware systems. M2MI provides an object oriented method call abstraction based on broadcasting. An M2MI invocation means "Every object out there that implements this interface, call this method." An M2MI-based application is built by defining one or more interfaces, creating objects that implement those interfaces in all the participating devices, and broadcasting method invocations to all the objects on all the devices. M2MI is layered on top of a new messaging protocol, the Many-to-Many Protocol (M2MP), which broadcasts messages to all nearby devices using the wireless network's inherent broadcast nature instead of routing messages from device to device. M2MI synthesizes remote method invocation proxies dynamically at run time, eliminating the need to compile and deploy proxies ahead of time. As a result, in an M2MI-based system, central servers are not required; network administration is not required; complicated, resource-consuming ad hoc routing protocols are not required; and system development and deployment are simplified.
Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology
 Theory of Cryptography - TCC 2004, Lecture Notes in Computer Science
, 2003
Cited by 10 (1 self)
The goals of this paper are threefold. First we introduce and motivate a generalization of the fundamental concept of the indistinguishability of two systems, called indifferentiability. This immediately leads to a generalization of the related notion of reducibility of one system to another. Second, we prove that...
Cryptography Based on Number Fields with Large Regulator
, 2000
Cited by 4 (0 self)
We explain a variant of the Fiat-Shamir identification and signature protocol that is based on the intractability of computing generators of principal ideals in algebraic number fields. We also
Forking Lemmas in the Ring Signatures' Scenario
 Proc. of Indocrypt’03, Springer LNCS
, 2003
Cited by 4 (0 self)
Pointcheval and Stern introduced in 1996 some forking lemmas useful to prove the security of a family of digital signature schemes. This family includes, for example, Schnorr's scheme and a modification of ElGamal signature scheme. In this work we generalize...
Anonymous Authentication With Subset Queries (Extended Abstract)
 IN ‘ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY’, ACM PRESS
, 1999
Cited by 2 (0 self)
We develop new schemes for anonymous authentication that support identity escrow. Our protocols also allow a prover to demonstrate membership in an arbitrary subset of users; key revocation is an important special case of this feature. Using the Fiat-Shamir heuristic, our interactive authentication protocols yield new constructions for noninteractive group signature schemes. We use the higher-residuosity assumption, which leads to greater efficiency and more natural security proofs than previous constructions. It also leads to an increased vulnerability to collusion attacks, although countermeasures are available.